API resource scopes are not returned in jwt bearer grant #21009

ShehanDinuka · 2024-08-29T07:46:54Z

Describe the issue:

The API resource scopes are not returned in the JWT bearer grant. Below is the token request for reference:

curl --location --request POST 'https://localhost:9443/oauth2/token?grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzaGVoYW4iLCJpc3MiOiJ0ZXN0bG9jYWxob3N0IiwiYXVkIjoidGVzdGxvY2FsaG9zdCIsImV4cCI6MTcyNDM0ODcyNiwiaWF0IjoxNzI0MzQ3NzI2LCJuYmYiOjE3MjQzNDc3MjYsImp0aSI6ImM0MmU2ZDE2LTA4OTgtNDRmNS1hNWFhLWIyMmVkNzQ3OGQ1ZSIsInJvbGVzIjoiUm9sZTMiLCJ2ZXJzaW9uIjoiMy4wIn0.FolxYnE-xG3652iLRl2gAatEc5SqIFAhO6tkS29s7jKkEfSQM5ss07W42KwdYftpLRVKSUPqzY9sxw6yVEJIwN52iEhlD7RamuMj1cFRuNpweO3cJ06Dj6DDmQg4HS92VkqlSEB7LYs9Zciqjbd7hTONrwLaMh3TbVy6IVwL_mF_R0hhneIzEefWJrnRvozJnF2qTKyvQZgfPVCkwsAtxR7iOP-nI8Eito83wI85e_KZdypX-nzxQkbkfJK90HjSbtj-42uRTkB7zLJjPNato7Q3yGwsYLX2oQuFfUdkVsLgNcL9I6qrZMSBsjgHdMWXapGTSyXDsLAx9HsST34kJQ&scope=openid%20test_api_scope%20roles' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic aXNJR3NKZHdjU0lCaUlpYnpuWncwenkzVXpnYTpUT0JCWEVrUnh6TnVXcUh5TTJhRTJ1aEZZZW1tWW5BMEoycE9ubTFyTUpFYQ=='

Following is the payload of the assertion.

{
  "sub": "shehan",
  "iss": "testlocalhost",
  "aud": "testlocalhost",
  "exp": 1724348726,
  "iat": 1724347726,
  "nbf": 1724347726,
  "jti": "c42e6d16-0898-44f5-a5aa-b22ed7478d5e",
  "roles": "Role3",
  "version": "3.0"
}

To return API authorization scopes, the user's role is validated against the API resource roles. However, this process fails when listing user roles at point [1].

How to reproduce:

Create API resources and scopes for the particular API resource
Create a role and assign created API resource scope
Create user and assign the created role (This user is used as sub attribute in the assertion payload)
Create an application and configure created API authorization to the application as well as requested attributes
Create and configure Trusted Token Issuer connection for JWT bearer grant
Execute above JWT bearer token request and observe API authorization scopes are not returned

Expected behavior:

The requested API authorization scopes should be returned after validating the user's roles.

Environment information (Please complete the following information; remove any unnecessary fields) :

Product Version: [IS 7.0]
OS: [Mac]
Database: [MySQL]
Userstore: [JDBC]

The text was updated successfully, but these errors were encountered:

SujanSanjula96 · 2025-01-22T00:47:24Z

Fix PRs -
wso2/carbon-identity-framework#6305
wso2-extensions/identity-inbound-auth-oauth#2682
wso2-extensions/identity-oauth2-grant-jwt#76

ShehanDinuka mentioned this issue Sep 14, 2024

Custom scopes are not resolving without the 'openid' scope in the JWT bearer grant #21112

Closed

aaujayasena added the U2 label Nov 26, 2024

isharak added the Type/Bug label Dec 17, 2024

SujanSanjula96 self-assigned this Jan 22, 2025

SujanSanjula96 added this to Identity Server 7.1.0 Jan 28, 2025

SujanSanjula96 moved this to Done in Identity Server 7.1.0 Jan 28, 2025

SujanSanjula96 closed this as completed by moving to Done in Identity Server 7.1.0 Jan 28, 2025

SujanSanjula96 added this to the 7.1.0-alpha milestone Jan 28, 2025

nilasini added the Fixed/7.1.0 label Jan 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

API resource scopes are not returned in jwt bearer grant #21009

API resource scopes are not returned in jwt bearer grant #21009

ShehanDinuka commented Aug 29, 2024

SujanSanjula96 commented Jan 22, 2025

API resource scopes are not returned in jwt bearer grant #21009

API resource scopes are not returned in jwt bearer grant #21009

Comments

ShehanDinuka commented Aug 29, 2024

SujanSanjula96 commented Jan 22, 2025